Evolving vulnerabilities in the education sector: How can organizations become more resilient?
In 2022, the education sector experienced a 44 percent increase in cyberattacks. In the UK alone, six in ten higher education institutes reported experiencing at least weekly attacks or breaches. This increasing number of threats to the sector is causing major disruptions to teaching and even forcing schools and universities to shut down.
When it comes to prioritizing security and adopting the latest technology, the education sector has always lagged behind other major industries. This lack of urgency is partly the reason why education is such a vulnerable target. Many schools are still using outdated and unprotected technology that is easy to infiltrate. Despite not being a cash-rich target, these facilities hold a wealth of personal and financial data, which can be used in future attacks or sold on the dark web.
A lot of these breaches are caused by a combination of factors such as credential stuffing, bad password management, and software vulnerabilities. So, both educational institutions and EduTech providers must play a more diligent role in protecting this sector. While organizations need to optimise their legacy security practices and improve awareness, EduTech vendors must also try to bridge this gap by integrating proactive security measures within their solutions and systems.
The risks and vulnerabilities threatening the education sector
When it comes to sufficient product security measures and updates, EduTech developers aren’t necessarily doing enough to protect their clients from damaging cyberattacks.
In our recent investigation, Rapid7 found critical vulnerabilities impacting cached credentials in the web learning solution of Cengage, one of the leading EduTech providers in the US. Cengage offers several digital solutions to higher education institutes, including e-textbooks, online learning platforms, and homework tools.
The vulnerabilities identified in their Learning Tools Integration (LTI) pipeline can allow threat actors with access to a user’s browser session or the network proxy logs to read or change a student’s personal information, or even potentially hijack a teacher’s or administrator’s session.
Not all vulnerabilities, however, come from the vendor's products and solutions. Educational institutions are also a hotbed for shared computers, for example. Many students and teachers use the same computers, increasing the damage that can be done if a certain device or user account is compromised. A recent study found that the higher education sector consistently scored lowest in proactive security awareness. This makes it relatively easy for threat actors to compromise a machine and use lateral movement to gain higher admin access and compromise the entire network.
The impact of cyberattacks on the education sector
In this sector, a lack of awareness and oversight from EduTech developers can come at a high cost, and unfortunately, it's the students and teachers who end up paying for it. Attackers often aim to disrupt access to essential digital resources on a school's network, which can halt learning and the delivery of services -- leaving students without the ability to access lectures, submit assignments, or access other critical resources.
In many cases, attackers also demand ransom payments, putting already struggling educational institutions under further financial strain. Last year, Illinois' Lincoln College was forced to cease operating after a ransomware attack that compounded its financial difficulties following the COVID-19 pandemic. The attack disrupted admission activities and institutional data, thereby significantly impacting enrollment projections for the following academic year.
Similarly, the University of Portsmouth in the UK was impacted by a ransomware attack that forced the partial closure of its campus and delayed the start of the new term, causing further disruption for students already dealing with the challenges of the pandemic.
While disruptions to higher education can be significant, the potential impact of a ransomware attack on a primary school could be far-reaching, with parents potentially having to stay home from work if their child's school is forced to close. Suddenly, a cyberattack not only affects the education sector but businesses across different industries as well.
Taking a proactive stance
EduTech developers must take greater responsibility in supporting the education sector to defend against cyberattacks. Tech provided to schools, universities, and other teaching institutions must be regularly updated, and vulnerabilities must be patched as quickly as possible. Better processes for reporting vulnerabilities and timely patches must be established, and strong communication should be maintained when updates become available.
Educators should also ask probing questions of technology vendors regarding their experience with secure software development, vulnerability reporting processes, and typical patch cycles. The presence of a published Vulnerability Disclosure Program (VDP) is an excellent indicator that a company is aware of modern vulnerability practices.
Securing schools can be challenging due to tight budgets, and potential conflicts between security concepts like proxies and firewalls and academic freedom. There may even be an additional internal threat from patient student hackers attempting to attack their own network. Collaboration between EduTech providers and educators is necessary to ensure both parties understand the importance of secure network design and transparent vulnerability reporting processes.
Network segmentation is a useful way to prevent lateral movement by attackers and contain a breach within a network. Education providers should also be reminded of good cyber hygiene practices around shared computer use and password length. Implementing better practices across the teaching establishment can have a significant impact on preventing attacks. A more complex password and a locked shared workstation can provide greater protection against attacks than many may realize.
These proactive practices, along with better cyber hygiene from educational institutions, can build resilience and help organizations avoid continual disruptions to teaching and potential closure as an impact of cyberattacks.
Tod Beardsley is Director of Research at Rapid7.